Security researchers from Cisco Talos discovered two vulnerabilities in the popular Zoom teleconferencing application that can allow a malicious user to execute arbitrary code on victims' devices. Zoom is a widely used teleconferencing application, relied on by people all over the world both for work and to communicate with friends, relatives, or colleagues. These two vulnerabilities can be exploited by attackers to compromise participants' systems and to execute, plant, or write files on vulnerable devices.
TALOS-2020-1055 / CVE-2020-6109
This vulnerability exists in version 4.6.10 of the Zoom client and can be exploited by an attacker who sends a specially crafted message to a single user or a group of users. The flaw is an "Improper Limitation of a Pathname" (path traversal) issue: the specially crafted message leads to an arbitrary file write, which can in turn lead to arbitrary code execution. According to Cisco Talos, the root cause is that file names are not restricted against path traversal, so a specially crafted id field of the giphy tag could contain a file path that writes a file outside the Zoom directory.
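The defect class described above (a file name taken from a message being joined to a cache directory without checking where the result lands) is easy to illustrate in general terms. The following is an added example written for this page, not Zoom's code or anything from the Cisco Talos advisory: it contrasts a naive join with a contained join that canonicalises the path and refuses anything that resolves outside the intended base directory. The directory name and the sample ids are constructed placeholders.

```python
import os


def naive_target(base_dir: str, untrusted_name: str) -> str:
    """The vulnerable pattern: trust the name and join it to the cache directory.

    A name containing '..' segments or an absolute path escapes base_dir.
    """
    return os.path.join(base_dir, untrusted_name)


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Return a canonical path strictly inside base_dir, or raise ValueError.

    realpath() collapses '.' and '..' and resolves symlinks, so the check is
    made on where the path actually ends up, not on its textual form.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    # Require a real child of base: candidate must start with "<base>/".
    # Comparing against base + os.sep also rejects siblings such as
    # "/tmp/zoom_giphy_cache_evil" and the base directory itself.
    if not candidate.startswith(base + os.sep):
        raise ValueError(f"refusing path outside {base}: {candidate}")
    return candidate


def is_contained(base_dir: str, untrusted_name: str) -> bool:
    """Convenience predicate: True if the name would stay inside base_dir."""
    try:
        safe_join(base_dir, untrusted_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample ids as they might arrive in an attacker-controlled field.
    cache = "/tmp/zoom_giphy_cache"  # placeholder directory name
    samples = ["abc123.gif", "sub/../abc123.gif", "../../etc/passwd", "/etc/passwd", "."]
    for name in samples:
        verdict = "ok      " if is_contained(cache, name) else "REJECTED"
        print(f"{verdict} {name!r:28} naive -> {naive_target(cache, name)}")
```

The key design choice is to decide on the canonical result rather than on the string: filtering "../" textually misses encodings, absolute paths and symlinked directories, whereas comparing the resolved path against the resolved base answers the only question that matters, namely whether the write will land inside the directory the application meant.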
TALOS-2020-1056 / CVE-2020-6110
The second vulnerability exists in versions 4.6.10 and 4.6.11 of the Zoom client. A message crafted by an attacker leads to arbitrary binary planting, which could lead to arbitrary code execution. Again, an attacker can trigger the vulnerability by sending a crafted message to a target user or group of users.
Finally, with the outbreak of the COVID-19 pandemic, many companies worldwide have asked their employees to work from home, which has increased the use of teleconferencing applications. As a result, RDP and teleconferencing platforms are heavily targeted by attackers.